Description of problem:

Version-Release number of selected component (if applicable):
ovirt-engine-3.5.0-0.0.master.20140821064931.gitb794d66.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. Have at least two AD domains with trust.
2. Create group in AD1.
3. Create user in AD2, who is part of group from AD1.
4. Add group to engine and assign it permissions.
5. Try to login as user from AD2.

Actual results:
User doesn't inherit group permissions and thus the error message "User is not authorized to perform this action." is shown.

Expected results:
User inherits permissions from group and successfully logs in.

Additional info:

[root@om-rh35 profiles]# ldapsearch -LLL -x -h 10.34.63.245 -p 389 -D Administrator.lab.eng.brq.redhat.com -W -b 'DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com' "CN=TopLevelGroup"
dn: CN=TopLevelGroup,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
objectClass: top
objectClass: group
cn: TopLevelGroup
member: CN=topLeveluser topLeveluser,CN=Users,DC=ad-w2k12r2pc,DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
member: CN=user1FirstName user1LastName,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
distinguishedName: CN=TopLevelGroup,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com

ldapsearch -LLL -x -h 10.34.63.33 -p 389 -D Administrator.lab.eng.brq.redhat.com -w Heslo123 -b 'DC=ad-w2k12r2pc,DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com' "sn=topLeveluser"
dn: CN=topLeveluser topLeveluser,CN=Users,DC=ad-w2k12r2pc,DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: topLeveluser topLeveluser
sn: topLeveluser

2014-08-28 13:07:34,230 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User AD-W2K12R2PC\topLevelUser failed to log in.
2014-08-28 13:07:34,232 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-8) CanDoAction of action LoginUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Hi,

Please use a more generic subject when opening bugs, and please do not add trailing dots. Also, marking new features (which did not exist in previous stable versions) as severity high is kind of strange.

Thanks,
The user should have memberOf, while topLeveluser does not have this attribute. The group is not important in this case.
In this case you should query the global catalog [1]:

$ ldapsearch -LLL -x -h 10.34.63.245 -p 3268 -D Administrator.lab.eng.brq.redhat.com -w Heslo123 -b 'DC=ad-w2k12r2pc,DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com' "sn=topLeveluser"
dn: CN=topLeveluser topLeveluser,CN=Users,DC=ad-w2k12r2pc,DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: topLeveluser topLeveluser
sn: topLeveluser
givenName: topLeveluser
distinguishedName: CN=topLeveluser topLeveluser,CN=Users,DC=ad-w2k12r2pc,DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
instanceType: 0
whenCreated: 20140828101522.0Z
whenChanged: 20140828103942.0Z
displayName: topLeveluser topLeveluser
uSNCreated: 231373
memberOf: CN=TopLevelGroup,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
uSNChanged: 231470
name: topLeveluser topLeveluser
objectGUID:: WUGCFnhhdkW9hPAbZ4fmdA==
userAccountControl: 66048
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAHmtufYB1Jk9DP9w1XQQAAA==
sAMAccountName: topLeveluser
sAMAccountType: 805306368
userPrincipalName: topLeveluser.rhev.lab.eng.brq.redhat.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130536959670245415

[1] http://msdn.microsoft.com/en-us/library/ms677943.aspx#memberOf
The plan was for those who need cross domain queries to set up the authz pool to gc:

pool.default.serverset.srvrecord.service = gc

However, unlike in the documentation, Active Directory's gc does not contain a full Configuration subtree; it also does not contain local domain group membership. Since the above information is missing, a query against any single ldap is incomplete.

In order to have cross domain groups, I will add another set of pools to query. This will reduce performance as the implementation will need to query more than one ldap to obtain all information. The user will be required to set both the "standard" ldap pool and one "additional" (gc) ldap pool in this case.
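The two comments above describe the core of the problem: the standard query against the user's own domain returns no memberOf for a group from a trusted domain, while the same search against the global catalog does, so an engine that consults only one directory source cannot see the inherited permissions. The following is an added illustration written for this thread, not oVirt or ovirt-engine-extension-aaa-ldap code. It parses ldapsearch-style LDIF (including folded continuation lines and base64 values), merges group membership from a "standard" domain result and an "additional" global catalog result, and shows that the login decision flips once the GC result is included. All DNs, directory records and the role name are constructed placeholders.

```python
import base64
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample DNs (hypothetical forest, not the lab domains from the bug).
USER_DN = "CN=topLeveluser,CN=Users,DC=ad2,DC=example,DC=test"
GROUP_DN = "CN=TopLevelGroup,CN=Users,DC=ad1,DC=example,DC=test"
LOGIN_ROLE = "UserRole"  # assumed name of the role that allows login

# Constructed result of the standard query (port 389) against the user's own
# domain AD2: no memberOf, because the group lives in the trusted domain AD1.
DOMAIN_LDIF = """\
dn: CN=topLeveluser,CN=Users,DC=ad2,DC=example,DC=test
objectClass: user
cn: topLeveluser
sAMAccountName: topLeveluser
"""

# Constructed result of the same query against the global catalog (port 3268);
# the folded memberOf line and the base64 ('::') objectGUID mimic ldapsearch output.
GC_LDIF = """\
dn: CN=topLeveluser,CN=Users,DC=ad2,DC=example,DC=test
objectClass: user
cn: topLeveluser
memberOf: CN=TopLevelGroup,CN=Users,DC=ad1,DC=example,
 DC=test
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
sAMAccountName: topLeveluser
"""

def parse_ldif(text: str) -> List[Entry]:
    """Parse 'ldapsearch -LLL' output: unfold continuation lines (leading
    space), decode base64 ('attr::') values to lowercase hex, one dict per entry."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # LDIF folding: drop the leading space
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if not line.strip():             # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # base64-encoded value
            value = base64.b64decode(value[1:].strip()).hex()
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries

def resolve_groups(user_dn: str, *result_sets: List[Entry]) -> Set[str]:
    """Union of the user's groups across several query results: memberOf on
    the user's entry plus any group entry listing the user as a member."""
    wanted = user_dn.lower()             # DNs compare case-insensitively
    groups: Set[str] = set()
    for entries in result_sets:
        for entry in entries:
            dn = entry.get("dn", [""])[0]
            if dn.lower() == wanted:
                groups.update(entry.get("memberOf", []))
            elif "group" in entry.get("objectClass", []) and any(
                    m.lower() == wanted for m in entry.get("member", [])):
                groups.add(dn)
    return groups

def effective_roles(user_dn: str, groups: Set[str],
                    assignments: Dict[str, Set[str]]) -> Set[str]:
    """Roles assigned directly to the user plus those inherited from its groups."""
    by_dn = {dn.lower(): roles for dn, roles in assignments.items()}
    roles = set(by_dn.get(user_dn.lower(), set()))
    for group in groups:
        roles |= by_dn.get(group.lower(), set())
    return roles

def can_login(user_dn: str, groups: Set[str],
              assignments: Dict[str, Set[str]]) -> bool:
    return LOGIN_ROLE in effective_roles(user_dn, groups, assignments)

def demo() -> Dict[str, bool]:
    """Permissions are on the AD1 group only: login succeeds only when the
    global-catalog result is consulted in addition to the domain result."""
    assignments = {GROUP_DN: {LOGIN_ROLE}}
    domain, gc = parse_ldif(DOMAIN_LDIF), parse_ldif(GC_LDIF)
    return {
        "login_without_gc": can_login(USER_DN, resolve_groups(USER_DN, domain), assignments),
        "login_with_gc": can_login(USER_DN, resolve_groups(USER_DN, domain, gc), assignments),
    }

if __name__ == "__main__":
    print(demo())  # {'login_without_gc': False, 'login_with_gc': True}
```

The resolver takes any number of result sets so that the same code serves both the single-pool case (domain only, which reproduces the "not authorized" outcome from the bug) and the two-pool case the developer describes; it also accepts group entries with a `member` attribute, so a group fetched from the group's home domain, as in the first ldapsearch in the report, resolves the same way.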
README +Global catalog lookup can be enabled to support inter-forest group +resolution. Not enabled by default as it has performance costs. Add the +following to authz extension configuration: + + config.globals.000.ad_enable_gc = true
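Review bot: the README addition states that global catalog lookup "has performance costs" without saying what they are; the preceding comment gives the reason (an additional gc pool is queried on top of the standard ldap pool, so every lookup hits more than one ldap), and one sentence on that would let an admin judge the trade-off. It would also help to say what the lookup is for (group membership of users from trusted domains, the memberOf values the user's own domain does not return), that the option is specific to Active Directory as the ad_ prefix suggests, and that the gc service (port 3268 in the searches above) must be reachable from the engine; a hint on how to confirm the gc pool was created would address the first thing that went wrong for the reporter in this thread.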
I can't get it to work. I have config.globals.000.ad_enable_gc = true in authz properties. I add a group with permissions. Then I try to login as a user from the group, and the engine is not querying gc.

#tcpdump -l -s 65535 -A -vv port 3268 -w gc.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
0 packets captured

Are there any other special configurations?
You should first see that the gc pool is created. Anyway, a log would be nice...
Created attachment 936455: engine startup log
Created attachment 936456: login as user from group log
I am unsure whether you are using a version of the ldap provider with that fix; what hash do you use?
[root@om-rh35 extensions.d]# rpm -qi ovirt-engine-extension-aaa-ldap
Name        : ovirt-engine-extension-aaa-ldap   Relocations: (not relocatable)
Version     : 0.0.0                             Vendor: Red Hat, Inc.
Release     : 0.0.2.master.el6_5                Build Date: Sun 24 Aug 2014 12:33:55 PM CEST

It's not there; the build date is Sun 24 Aug 2014 12:33:55. The fix is from 31.8...
This is not vt3.
The current build was not included in vt3 due to an engine dependency issue. I will rebuild and republish. Sorry, I was not aware that it was not pulled.
Was included in vt3.1, great.
Works fine in vt3.1 with the line config.globals.000.ad_enable_gc = true in the authz extension.
oVirt 3.5 has been released and should include the fix for this issue.